CORD-2741 eliminate dead policy code
Change-Id: I027a485b49485ec4acd51c03964f353451f64d12
diff --git a/xos/core/acl.py b/xos/core/acl.py
deleted file mode 100644
index 0ee0d2b..0000000
--- a/xos/core/acl.py
+++ /dev/null
@@ -1,152 +0,0 @@
-
-# Copyright 2017-present Open Networking Foundation
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-from fnmatch import fnmatch
-
-"""
- A General-purpose ACL mechanism.
-
- [allow | deny] <type_of_object> <text_pattern>
-
- "allow all" and "deny all" are shorthand for allowing or denying all objects.
- Lines are executed from top to bottom until a match was found, typical
- iptables style. An implicit 'deny all' exists at the bottom of the list.
-
- For example,
- allow site Max Planck Institute
- deny site Arizona
- allow region US
- deny user scott@onlab.us
- allow user *@onlab.us
-"""
-class ACLValidationError(Exception): pass
-
-class AccessControlList:
- def __init__(self, aclText=None):
- self.rules = []
- if aclText:
- self.import_text(aclText)
-
- def import_text(self, aclText):
- # allow either newline or ';' to separate rules
- aclText = aclText.replace("\n", ";")
- for line in aclText.split(";"):
- line = line.strip()
- if line.startswith("#"):
- continue
-
- if line=="":
- continue
-
- parts = line.split()
-
- if len(parts)==2 and (parts[1]=="all"):
- # "allow all" has no pattern
- parts = (parts[0], parts[1], "")
-
- if len(parts)!=3:
- raise ACLValidationError(line)
-
- (action, object, pattern) = parts
-
- if action not in ["allow", "deny"]:
- raise ACLValidationError(line)
-
- if object not in ["site", "user", "all"]:
- raise ACLValidationError(line)
-
- self.rules.append( (action, object, pattern) )
-
- def __str__(self):
- lines = []
- for rule in self.rules:
- lines.append( " ".join(rule) )
- return ";\n".join(lines)
-
- def test(self, user, site=None):
- for rule in self.rules:
- if self.match_rule(rule, user):
- return rule[0]
- return "deny"
-
- def match_rule(self, rule, user, site=None):
- (action, object, pattern) = rule
-
- if (site==None):
- site = user.site
-
- if (object == "site"):
- if fnmatch(site.name, pattern):
- return True
- elif (object == "user"):
- if fnmatch(user.email, pattern):
- return True
- elif (object == "all"):
- return True
-
- return False
-
-
-if __name__ == '__main__':
- # self-test
-
- class fakesite:
- def __init__(self, siteName):
- self.name = siteName
-
- class fakeuser:
- def __init__(self, email, siteName):
- self.email = email
- self.site = fakesite(siteName)
-
- u_scott = fakeuser("scott@onlab.us", "ON.Lab")
- u_bill = fakeuser("bill@onlab.us", "ON.Lab")
- u_andy = fakeuser("acb@cs.princeton.edu", "Princeton")
- u_john = fakeuser("jhh@cs.arizona.edu", "Arizona")
- u_hacker = fakeuser("somehacker@foo.com", "Not A Real Site")
-
- # check the "deny all" rule
- acl = AccessControlList("deny all")
- assert(acl.test(u_scott) == "deny")
-
- # a blank ACL results in "deny all"
- acl = AccessControlList("")
- assert(acl.test(u_scott) == "deny")
-
- # check the "allow all" rule
- acl = AccessControlList("allow all")
- assert(acl.test(u_scott) == "allow")
-
- # allow only one site
- acl = AccessControlList("allow site ON.Lab")
- assert(acl.test(u_scott) == "allow")
- assert(acl.test(u_andy) == "deny")
-
- # some complicated ACL
- acl = AccessControlList("""allow site Princeton
- allow user *@cs.arizona.edu
- deny site Arizona
- deny user scott@onlab.us
- allow site ON.Lab""")
-
- assert(acl.test(u_scott) == "deny")
- assert(acl.test(u_bill) == "allow")
- assert(acl.test(u_andy) == "allow")
- assert(acl.test(u_john) == "allow")
- assert(acl.test(u_hacker) == "deny")
-
- print acl
-
diff --git a/xos/core/models/deployment.py b/xos/core/models/deployment.py
index ffc46e5..0098891 100644
--- a/xos/core/models/deployment.py
+++ b/xos/core/models/deployment.py
@@ -15,40 +15,7 @@
from xos.exceptions import *
from deployment_decl import *
-from core.acl import AccessControlList
class Deployment(Deployment_decl):
class Meta:
proxy = True
-
- def get_acl(self):
- return AccessControlList(self.accessControl)
-
- def test_acl(self, slice=None, user=None):
- potential_users=[]
-
- if user:
- potential_users.append(user)
-
- if slice:
- potential_users.append(slice.creator)
- for priv in slice.sliceprivileges.all():
- if priv.user not in potential_users:
- potential_users.append(priv.user)
-
- acl = self.get_acl()
- for user in potential_users:
- if acl.test(user) == "allow":
- return True
-
- return False
-
- @staticmethod
- def select_by_acl(user):
- ids = []
- for deployment in Deployment.objects.all():
- acl = deployment.get_acl()
- if acl.test(user) == "allow":
- ids.append(deployment.id)
-
- return Deployment.objects.filter(id__in=ids)
diff --git a/xos/core/models/instance.py b/xos/core/models/instance.py
index 45215bc..df33590 100644
--- a/xos/core/models/instance.py
+++ b/xos/core/models/instance.py
@@ -20,9 +20,6 @@
class Meta:
proxy = True
- def get_controller (self):
- return self.node.site_deployment.controller
-
def tologdict(self):
d=super(Instance,self).tologdict()
try:
@@ -39,70 +36,3 @@
self.creator = self.caller
super(Instance, self).save(*args, **kwargs)
-
- def all_ips(self):
- ips={}
- for ns in self.ports.all():
- if ns.ip:
- ips[ns.network.name] = ns.ip
- return ips
-
- def all_ips_string(self):
- result = []
- ips = self.all_ips()
- for key in sorted(ips.keys()):
- #result.append("%s = %s" % (key, ips[key]))
- result.append(ips[key])
- return ", ".join(result)
- all_ips_string.short_description = "addresses"
-
- def get_public_ip(self):
- for ns in self.ports.all():
- if (ns.ip) and (ns.network.template.visibility=="public") and (ns.network.template.translation=="none"):
- return ns.ip
- return None
-
- # return an address on nat-net
- def get_network_ip(self, pattern):
- for ns in self.ports.all():
- if pattern in ns.network.name.lower():
- return ns.ip
- return None
-
- # return an address that the synchronizer can use to SSH to the instance
- def get_ssh_ip(self):
- # first look specifically for a management_local network
- for ns in self.ports.all():
- if ns.network.template and ns.network.template.vtn_kind=="MANAGEMENT_LOCAL":
- return ns.ip
-
- # for compatibility, now look for any management network
- management=self.get_network_ip("management")
- if management:
- return management
-
- # if all else fails, look for nat-net (for OpenCloud?)
- return self.get_network_ip("nat")
-
- def get_ssh_command(self):
- if (not self.instance_id) or (not self.node) or (not self.instance_name):
- return None
- else:
- return 'ssh -o "ProxyCommand ssh -q %s@%s" ubuntu@%s' % (self.instance_id, self.node.name, self.instance_name)
-
- def get_public_keys(self):
- from core.models.sliceprivilege import Privilege
- slice_privileges = Privilege.objects.filter(object_id=self.slice.id, object_type='Slice', accessor_type='User')
- slice_users = [User.objects.get(pk = priv.accessor_id) for priv in slice_privileges]
- pubkeys = set([u.public_key for u in slice_users if u.public_key])
-
- if self.creator.public_key:
- pubkeys.add(self.creator.public_key)
-
- if self.slice.creator.public_key:
- pubkeys.add(self.slice.creator.public_key)
-
- if self.slice.service and self.slice.service.public_key:
- pubkeys.add(self.slice.service.public_key)
-
- return pubkeys
diff --git a/xos/core/models/service.py b/xos/core/models/service.py
index 3a6d57b..b6bdccf1 100644
--- a/xos/core/models/service.py
+++ b/xos/core/models/service.py
@@ -22,158 +22,6 @@
KIND = "generic"
- def __init__(self, *args, **kwargs):
- # for subclasses, set the default kind appropriately
- # TODO: rethink this -- remember the class variable bug
- self._meta.get_field("kind").default = self.KIND
- super(Service, self).__init__(*args, **kwargs)
-
- @property
- def serviceattribute_dict(self):
- attrs = {}
- for attr in self.serviceattributes.all():
- attrs[attr.name] = attr.value
- return attrs
-
- def get_scalable_nodes(self, slice, max_per_node=None, exclusive_slices=[]):
- """
- Get a list of nodes that can be used to scale up a slice.
-
- slice - slice to scale up
- max_per_node - maximum numbers of instances that 'slice' can have on a single node
- exclusive_slices - list of slices that must have no nodes in common with 'slice'.
- """
-
- # late import to get around order-of-imports constraint in __init__.py
- from core.models import Node, Instance
-
- nodes = list(Node.objects.all())
-
- conflicting_instances = Instance.objects.filter(
- slice__in=exclusive_slices)
- conflicting_nodes = Node.objects.filter(
- instances__in=conflicting_instances)
-
- nodes = [x for x in nodes if x not in conflicting_nodes]
-
- # If max_per_node is set, then limit the number of instances this slice
- # can have on a single node.
- if max_per_node:
- acceptable_nodes = []
- for node in nodes:
- existing_count = node.instances.filter(slice=slice).count()
- if existing_count < max_per_node:
- acceptable_nodes.append(node)
- nodes = acceptable_nodes
-
- return nodes
-
- def pick_node(self, slice, max_per_node=None, exclusive_slices=[]):
- # Pick the best node to scale up a slice.
-
- nodes = self.get_scalable_nodes(slice, max_per_node, exclusive_slices)
- nodes = sorted(nodes, key=lambda node: node.instances.all().count())
- if not nodes:
- return None
- return nodes[0]
-
- def adjust_scale(self, slice_hint, scale, max_per_node=None, exclusive_slices=[]):
- # late import to get around order-of-imports constraint in __init__.py
- from core.models import Instance
-
- slices = [x for x in self.slices.all() if slice_hint in x.name]
- for slice in slices:
- while slice.instances.all().count() > scale:
- s = slice.instances.all()[0]
- # print "drop instance", s
- s.delete()
-
- while slice.instances.all().count() < scale:
- node = self.pick_node(slice, max_per_node, exclusive_slices)
- if not node:
- # no more available nodes
- break
-
- image = slice.default_image
- if not image:
- raise XOSConfigurationError(
- "No default_image for slice %s" % slice.name)
-
- flavor = slice.default_flavor
- if not flavor:
- raise XOSConfigurationError(
- "No default_flavor for slice %s" % slice.name)
-
- s = Instance(slice=slice,
- node=node,
- creator=slice.creator,
- image=image,
- flavor=flavor,
- deployment=node.site_deployment.deployment)
- s.save()
-
- # print "add instance", s
-
- def get_vtn_src_nets(self):
- nets = []
- for slice in self.slices.all():
- for ns in slice.networkslices.all():
- if not ns.network:
- continue
- # if ns.network.template.access in ["direct", "indirect"]:
- # # skip access networks; we want to use the private network
- # continue
- if "management" in ns.network.name:
- # don't try to connect the management network to anything
- continue
- if ns.network.name in ["wan_network", "lan_network"]:
- # we don't want to attach to the vCPE's lan or wan network
- # we only want to attach to its private network
- # TODO: fix hard-coding of network name
- continue
- for cn in ns.network.controllernetworks.all():
- if cn.net_id:
- net = {"name": ns.network.name, "net_id": cn.net_id}
- nets.append(net)
- return nets
-
- def get_vtn_nets(self):
- nets = []
- for slice in self.slices.all():
- for ns in slice.networkslices.all():
- if not ns.network:
- continue
- if ns.network.template.access not in ["direct", "indirect"]:
- # skip anything that's not an access network
- continue
- for cn in ns.network.controllernetworks.all():
- if cn.net_id:
- net = {"name": ns.network.name, "net_id": cn.net_id}
- nets.append(net)
- return nets
-
- def get_vtn_dependencies_nets(self):
- provider_nets = []
- for tenant in self.subscribed_tenants.all():
- if tenant.provider_service:
- for net in tenant.provider_service.get_vtn_nets():
- if not net in provider_nets:
- net["bidirectional"] = tenant.connect_method!="private-unidirectional"
- provider_nets.append(net)
- return provider_nets
-
- def get_vtn_dependencies_ids(self):
- return [x["net_id"] for x in self.get_vtn_dependencies_nets()]
-
- def get_vtn_dependencies_names(self):
- return [x["name"] + "_" + x["net_id"] for x in self.get_vtn_dependencies_nets()]
-
- def get_vtn_src_ids(self):
- return [x["net_id"] for x in self.get_vtn_src_nets()]
-
- def get_vtn_src_names(self):
- return [x["name"] + "_" + x["net_id"] for x in self.get_vtn_src_nets()]
-
def get_composable_networks(self):
SUPPORTED_VTN_SERVCOMP_KINDS = ['VSG','PRIVATE']
diff --git a/xos/core/models/serviceinstance.py b/xos/core/models/serviceinstance.py
index ac1cd08..7dff675 100644
--- a/xos/core/models/serviceinstance.py
+++ b/xos/core/models/serviceinstance.py
@@ -24,16 +24,7 @@
def __init__(self, *args, **kwargs):
super(ServiceInstance, self).__init__(*args, **kwargs)
- @property
- def tenantattribute_dict(self):
- attrs = {}
- for attr in self.tenantattributes.all():
- attrs[attr.name] = attr.value
- return attrs
-
- # helper function to be used in subclasses that want to ensure
- # service_specific_id is unique
-
+ # TODO: Used by CordSubscriberRoot. Verify whether the usage is necessary.
def validate_unique_service_specific_id(self, none_okay=False):
if not none_okay and (self.service_specific_id is None):
raise XOSMissingField("subscriber_specific_id is None, and it's a required field", fields={
@@ -48,22 +39,6 @@
raise XOSDuplicateKey("service_specific_id %s already exists" % self.service_specific_id, fields={
"service_specific_id": "duplicate key"})
- def get_subscribed_tenants(self, tenant_class):
- """ Return all ServiceInstances of class tenant_class that have a link to this ServiceInstance """
- results=[]
- # TODO: Make query more efficient
- for si in tenant_class.objects.all():
- for link in si.subscribed_links.all():
- if link.provider_service_instance == self:
- results.append(si)
- return results
-
- def get_newest_subscribed_tenant(self, kind):
- st = list(self.get_subscribed_tenants(kind))
- if not st:
- return None
- return sorted(st, key=attrgetter('id'))[0]
-
def save(self, *args, **kwargs):
if hasattr(self, "OWNER_CLASS_NAME"):
owner_class = self.get_model_class_by_name(self.OWNER_CLASS_NAME)
diff --git a/xos/core/models/slice.py b/xos/core/models/slice.py
index 3cf55f4..975ec5a 100644
--- a/xos/core/models/slice.py
+++ b/xos/core/models/slice.py
@@ -22,15 +22,12 @@
NETWORK_CHOICES = ((None, 'Default'), ('host', 'Host'), ('bridged', 'Bridged'), ('noauto', 'No Automatic Networks'))
- @property
- def slicename(self):
- return "%s_%s" % (self.site.login_base, self.name)
-
def save(self, *args, **kwargs):
# set creator on first save
if not self.creator and hasattr(self, 'caller'):
self.creator = self.caller
+ # TODO: Verify this logic is still in use
# only admins change a slice's creator
if 'creator' in self.changed_fields and \
(not hasattr(self, 'caller') or not self.caller.is_admin):
diff --git a/xos/core/models/user.py b/xos/core/models/user.py
index 1268fc5..a2999bf 100644
--- a/xos/core/models/user.py
+++ b/xos/core/models/user.py
@@ -215,19 +215,6 @@
def is_superuser(self):
return False
-# def get_roles(self):
-# from core.models.site import SitePrivilege
-# from core.models.slice import SliceMembership
-#
-# site_privileges = SitePrivilege.objects.filter(user=self)
-# slice_memberships = SliceMembership.objects.filter(user=self)
-# roles = defaultdict(list)
-# for site_privilege in site_privileges:
-# roles[site_privilege.role.role_type].append(site_privilege.site.login_base)
-# for slice_membership in slice_memberships:
-# roles[slice_membership.role.role_type].append(slice_membership.slice.name)
-# return roles
-
def delete(self, *args, **kwds):
# so we have something to give the observer
purge = kwds.get('purge',False)
diff --git a/xos/synchronizers/new_base/SyncInstanceUsingAnsible.py b/xos/synchronizers/new_base/SyncInstanceUsingAnsible.py
index 480ebf5..5690b93 100644
--- a/xos/synchronizers/new_base/SyncInstanceUsingAnsible.py
+++ b/xos/synchronizers/new_base/SyncInstanceUsingAnsible.py
@@ -244,6 +244,7 @@
def delete_record(self, o):
try:
+ # TODO: This may be broken, as get_controller() does not exist in convenience wrapper
controller = o.get_controller()
controller_register = json.loads(o.node.site_deployment.controller.backend_register)